Policy Reference

Category Computer and User Operations
Approval Date 01-29-2010
Scope All Personnel

Purpose

In order to ensure a reliable and secure IT environment, predefined system and resource settings must be maintained, and new changes must be evaluated to ensure reliability and compatibility within the environment.


Policy

  1. Information Technology Services (ITS) is responsible for managing the City's computer resources. User changes to computer resource parameters shall be prohibited; all changes shall be made by ITS. (401.4.4)
  2. ITS has a variety of security mechanisms in place, including firewalls, proxy services, etc., that help ensure the safety and security of the City network. Users are prohibited from attempting to disable, defeat, circumvent, or otherwise override any City security mechanism. (401.4.5)
  3. ITS shall be responsible for establishing the standard desktop configuration. Any modification to this standard configuration shall require pre-approval from the Department Director with concurrence from ITS. This does not prohibit users from making minor desktop changes such as creating additional desktop shortcuts or changing the wallpaper, color theme, or screen resolution. Minor desktop changes will need to be maintained by the desktop user/operator. (406.4.10)
  4. A change management program, with all necessary policies and procedures, will be established to prevent unauthorized changes.
  5. Monitor changes to the information system and conduct security impact analysis and tests to determine the effects of the changes.
  6. Ensure that staff and all appropriate parties sign off on each planned and implemented change, and that the system detects and protects against unauthorized changes.
  7. Ensure that there is a procedure to validate the system prior to making any changes.
  8. Ensure that back-out procedures for changes are in place so that the system can be restored to its prior state if necessary.
  9. Ensure that each time a system is modified according to the Change Management plan, the backup data is then updated to ensure recoverability.

Compliance

  1. Change management is a necessary part of security management. The kinds of change that change management should handle include changes in the importance of tasks, physical and environmental alterations, changes in the way IT is assessed, changes in business and legal demands, changes in hardware and software, changes in threats to the organization, and the introduction of new technology. § 2.2.3, OGC ITIL: Security Management
  2. The organization should set up formal change management procedures to handle in a standardized manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms. AI2.9, AI6.1, CobiT 4.1
  3. Change-control procedures should be in place for all software modifications. These change-control procedures should include the following: documentation of how the change will impact the customer, procedures for sign-off/acceptance of the changes by the appropriate parties, testing procedures for operational functionality, and back-out or de-installation procedures for cases when the change is rejected and will not be implemented. § 5.3 through § 5.3.4, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1